articles/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md
Lines changed: 33 additions & 60 deletions
@@ -21,56 +21,6 @@ You can disable rules individually, or set specific actions for each rule. This
21
21
> [!NOTE]
22
22
> When you change a ruleset version in a WAF Policy, you should forward your existing rule action and state overrides and exclusions to apply on the new ruleset version. For more information, see [Upgrading or changing ruleset version](upgrade-ruleset-version.md).
23
23
24
-
## Understanding CVE protection coverage
25
-
26
-
### How WAF protects against CVEs
27
-
28
-
Application Gateway WAF provides protection against known Common Vulnerabilities and Exposures (CVEs) through a combination of:
29
-
30
-
-**OWASP Core Rule Set (CRS)**: Many CVEs are detected through generic OWASP CRS rules that identify common attack patterns (SQL injection, XSS, RCE, etc.) without requiring CVE-specific rules.
31
-
-**Microsoft Threat Intelligence CVE rules**: The MS-ThreatIntel-CVEs rule group contains rules specifically designed to detect exploitation attempts of high-profile CVEs. These rules are developed and maintained by Microsoft's Threat Intelligence team.
32
-
-**Continuous updates**: Both OWASP CRS and Microsoft Threat Intelligence rules are updated regularly as new vulnerabilities are discovered and attack patterns evolve.
33
-
34
-
### CVE detection timing and dependencies
35
-
36
-
Whether a specific CVE is detectable by WAF depends on several factors:
37
-
38
-
1.**OWASP CRS updates**: The OWASP community must identify the vulnerability pattern and develop detection rules. This process can take time depending on the complexity of the vulnerability and community response.
39
-
40
-
2.**Microsoft Threat Intelligence response**: For critical and widely-exploited CVEs, Microsoft may develop specific detection rules and release them as part of the MS-ThreatIntel-CVEs rule group independent of OWASP update cycles.
41
-
42
-
3.**Rule set version**: Protection is only available if you're using a rule set version that includes the relevant detection rules. Regularly upgrading to the latest Default Rule Set (DRS) ensures you have the most current protections.
43
-
44
-
4.**Generic pattern coverage**: Some CVEs might already be caught by existing generic rules (such as SQL injection or XSS rules) even before CVE-specific rules are published.
45
-
46
-
### Finding CVE coverage information
47
-
48
-
To determine if WAF protects against a specific CVE:
49
-
50
-
1.**Check the MS-ThreatIntel-CVEs rule group**: Review the [MS-ThreatIntel-CVEs rules](#drs99001-22) in the DRS 2.2 section below. Each rule lists the specific CVE ID it detects in its description.
51
-
52
-
2.**Review rule descriptions**: CVE-specific rules include links to the official CVE record (e.g., CVE-2022-22963) in their descriptions.
53
-
54
-
3.**Consider generic rules**: Even if a CVE isn't listed explicitly, it may be detected by generic OWASP rules in other rule groups (SQLI, XSS, RCE, etc.) that match the vulnerability's attack pattern.
55
-
56
-
4.**Check for updates**: Microsoft updates the MS-ThreatIntel-CVEs rule group as new high-priority vulnerabilities emerge. Always use the latest DRS version for maximum coverage.
57
-
58
-
### Currently covered CVEs
59
-
60
-
The WAF includes specific detection rules for high-profile CVEs such as:
- SharePoint, Oracle WebLogic, and other enterprise application CVEs
65
-
66
-
For the complete list of CVE-specific rules and their IDs, see the [MS-ThreatIntel-CVEs rule group](#drs99001-22) section below.
67
-
68
-
> [!TIP]
69
-
> If you need protection against a specific CVE that isn't explicitly listed:
70
-
> - Upgrade to the latest DRS version to ensure you have the most recent rules
71
-
> - Test with a sample exploit to see if existing generic rules catch the attack pattern
72
-
> - Contact Azure support if you require protection for a specific high-priority CVE not currently covered
73
-
74
24
## Default rule set 2.2
75
25
76
26
Default rule set (DRS) 2.2 is based on Open Web Application Security Project (OWASP) Core Rule Set 3.3.4, bringing refinements to existing detections and new protections, including rules that detect content types declared outside the actual content-type header and enhanced remote code execution (RCE) detections. DRS 2.2 includes additional proprietary protections rules developed by Microsoft Threat Intelligence team, which expand coverage across SQL injection, XSS, and application-security attack patterns.
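Review bot: the deleted span (old lines 24-73) removes the "Currently covered CVEs" subsection together with its example list ("SharePoint, Oracle WebLogic, and other enterprise application CVEs"), and the condensed section re-added later in this file carries no equivalent, so the rule table becomes the only remaining pointer to what MS-ThreatIntel-CVEs actually targets; if dropping the examples is deliberate, say so in the PR description, otherwise carry one sentence of it over. Also worth checking: the old text linked the rule group as `#drs99001-22` ("in the DRS 2.2 section below") while the re-added text uses `?tabs=drs22#drs99001-22`; confirm the tab-qualified form resolves on the rendered page before merging.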
@@ -154,15 +104,6 @@ Use the following guidance to tune WAF while you get started with DRS 2.1 on App
154
104
|99001016|MS-ThreatIntel-CVEs|Attempted Spring Cloud Gateway Actuator injection [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)|Keep the rule enabled to prevent against SpringShell vulnerability|
155
105
|99001017|MS-ThreatIntel-CVEs|Attempted Apache Struts file upload exploitation [CVE-2023-50164](https://www.cve.org/CVERecord?id=CVE-2023-50164)|Set action to Block to prevent against Apache Struts vulnerability. Anomaly Score not supported for this rule|
156
106
157
-
## Core rule sets (CRS) - legacy
158
-
159
-
The recommended managed rule set is the latest Default Rule Set 2.2, which is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.4 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team and updates to signatures to reduce false positives. When creating a new WAF policy you should use the latest, recommended ruleset version DRS 2.2. If you have an existing WAF policy using DRS 2.1, CRS 3.2 or CRS 3.1, it's recommended to upgrade to DRS 2.2. For more information, see [Upgrade CRS or DRS ruleset version](upgrade-ruleset-version.md).
160
-
161
-
> [!NOTE]
162
-
> - CRS 3.2 is only available on the WAF_v2 SKU. You can't downgrade from CRS 3.2 to CRS 3.1 or earlier because CRS 3.2 runs on the new Azure WAF engine. It's recommended to upgrade to the latest DRS 2.1 directly and validate new rules safely by changing the new rules' action to log mode. For more information, see [Validate new rules safely](upgrade-ruleset-version.md#validate-new-rules-safely).
163
-
>
164
-
> - Web Application Firewall (WAF) running on Application Gateway for Containers doesn't support the Core Ruleset (CRS).
165
-
166
107
## Tuning of Managed rule sets
167
108
168
109
Both DRS and CRS are enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Managed Rule Set to meet your application requirements. You can also set specific actions per rule. The DRS/CRS supports block, log, and anomaly score actions. The Bot Manager ruleset supports the allow, block, and log actions.
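Review bot: the hunk header's context line ("Use the following guidance to tune WAF while you get started with DRS 2.1 on App...") reads stale directly above the 99001016 and 99001017 rows, which are DRS 2.2 rule entries; since the legacy CRS text is being moved out of this spot anyway, updating that sentence to DRS 2.2 in the same change would keep the section self-consistent. Removing the legacy section here is otherwise fine as a pure move, provided the re-added copy is where readers of "Tuning of Managed rule sets" expect it.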
@@ -200,13 +141,45 @@ Paranoia Levels 3 and 4 aren't currently supported in Azure WAF.
200
141
> [!NOTE]
201
142
> CRS 3.2 ruleset includes rules in PL3 and PL4, but these rules are always inactive and can't be enabled, regardless of their configured state or action.
202
143
203
-
###Upgrading or changing ruleset version
144
+
## Upgrading or changing ruleset version
204
145
205
146
If you're upgrading, or assigning a new ruleset version, and would like to preserve existing rule overrides and exclusions, it's recommended to use PowerShell, CLI, REST API, or a template to make ruleset version changes. A new version of a ruleset can have newer rules or additional rule groups, which you might want to validate safely. It's recommended to validate changes in a test environment, fine tune if necessary, and then deploy in a production environment.
206
147
For more information, see [Upgrade CRS or DRS ruleset version](upgrade-ruleset-version.md)
207
148
208
149
If you're using the Azure portal to assign a new managed ruleset to a WAF policy, all the previous customizations from the existing managed ruleset such as rule state, rule actions, and rule level exclusions will be reset to the new managed ruleset's defaults. However, any custom rules, policy settings, and global exclusions will remain unaffected during the new ruleset assignment. You'll need to redefine rule overrides and validate changes before deploying in a production environment.
209
150
151
+
## Understanding CVE protection in Azure WAF
152
+
153
+
Azure Application Gateway WAF protects against CVEs through:
154
+
155
+
-**Generic protections (DRS / OWASP CRS)**: Many CVEs are already mitigated by existing rules that detect common attack patterns such as SQL injection, XSS, and RCE.
156
+
-**CVE-specific protections (Microsoft Threat Intelligence)**: For high-impact vulnerabilities, dedicated rules are released in the [MS-ThreatIntel-CVEs](?tabs=drs22#drs99001-22) rule group.
157
+
158
+
Always use the latest Default Rule Set (DRS) for the most up-to-date protection and reduced false positives.
159
+
160
+
To check coverage:
161
+
162
+
- Review the [MS-ThreatIntel-CVEs](?tabs=drs22#drs99001-22) rule group
163
+
- Check rule descriptions for CVE references
164
+
- Keep in mind that many CVEs are covered by generic protections even if not explicitly listed
165
+
166
+
If a CVE isn’t explicitly covered:
167
+
168
+
- Upgrade to the latest DRS
169
+
- Validate against existing rules or use custom rules if needed
170
+
- Contact Azure support if you require protection for a specific high-priority CVE not currently covered
171
+
172
+
173
+
## Core rule sets (CRS) - legacy
174
+
175
+
The recommended managed rule set is the latest Default Rule Set 2.2, which is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.4 and includes additional proprietary protections rules developed by Microsoft Threat Intelligence team and updates to signatures to reduce false positives. When creating a new WAF policy you should use the latest, recommended ruleset version DRS 2.2. If you have an existing WAF policy using DRS 2.1, CRS 3.2 or CRS 3.1, it's recommended to upgrade to DRS 2.2. For more information, see [Upgrade CRS or DRS ruleset version](upgrade-ruleset-version.md).
176
+
177
+
> [!NOTE]
178
+
> - CRS 3.2 is only available on the WAF_v2 SKU. You can't downgrade from CRS 3.2 to CRS 3.1 or earlier because CRS 3.2 runs on the new Azure WAF engine. It's recommended to upgrade to the latest DRS 2.1 directly and validate new rules safely by changing the new rules' action to log mode. For more information, see [Validate new rules safely](upgrade-ruleset-version.md#validate-new-rules-safely).
179
+
>
180
+
> - Web Application Firewall (WAF) running on Application Gateway for Containers doesn't support the Core Ruleset (CRS).
181
+
182
+
210
183
### Bot Manager 1.0
211
184
212
185
The Bot Manager 1.0 rule set provides protection against malicious bots and detection of good bots. The rules provide granular control over bots detected by WAF by categorizing bot traffic as Good, Bad, or Unknown bots.
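Review bot: the two bullets added at new lines 155-156 begin `-**Generic protections (DRS / OWASP CRS)**` and `-**CVE-specific protections (Microsoft Threat Intelligence)**` with no space after the hyphen, so Markdown renders them as a paragraph starting with a literal "-**" rather than a list (the same defect the removed text had with `1.**`); insert a space after `-`. Second, the moved "## Core rule sets (CRS) - legacy" section now sits directly above the unchanged "### Bot Manager 1.0" heading, which makes Bot Manager render as a subsection of the legacy CRS section even though it is a separate managed rule set; either place the legacy section after the Bot Manager material or promote Bot Manager to "##". Third, the re-added NOTE still says "It's recommended to upgrade to the latest DRS 2.1 directly" one paragraph after the text names DRS 2.2 as the latest recommended ruleset; since the block is being rewritten anyway, change it to DRS 2.2. Finally, the `###Upgrading or changing ruleset version` to `## Upgrading or changing ruleset version` change fixes the missing space that kept the heading from rendering, but it also lifts the section out from under "Tuning of Managed rule sets"; confirm that nesting change is intended.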